[Bug 1790855] Re: [MIR] gpsd

 Christian Ehrhardt  1790855 at bugs.launchpad.net
Wed Sep 19 06:01:02 UTC 2018 

Hi,
I wanted to give an update on the current status.
First of all thanks Mathieu for the reivew.

1. Dependeny:
Yes we are only suggesting from chrony and don't "need" it in main for that (we do not intent to depend/recommened there). Instead we want to seed gpsd to be in main (no default install, just be in main) to make up for the lost function of Time-HW support due to the demotion of ntp.

2. python2 concerns
I agree to your concern to not add new py2, but we only want the gpsd package itself, not all the auxiliary tools in main. And this is a compiled binary, without any python. It will dpeend on libgpsd23 library, but that is non-python as well.
file $(dpkg -L libgps23 gpsd | xargs) | cut -c 42-108 | sort | uniq -c
      7     ASCII text
      3     ELF 64-bit LSB shared object, x86-64, version 1 (SYSV), dynamic
      1     POSIX shell script, ASCII text executable
     24     directory
      7     gzip compressed data, max compression, from Unix, original size
      1     symbolic link to ../libgps23/changelog.Debian.gz
      1     symbolic link to libgps.so.23.0.0
      1 0:  ELF 64-bit LSB shared object, x86-64, version 1 (SYSV), dynamic
      1 gz: gzip compressed data, max compression, from Unix, original size

TL;DR: the binaries we want is gpsd + libgps23 (due to dependency), no
python concerns on these


3. Lintian warnings
You are right, I missed to check these (self-slap) I'd try to work on these somewhen next cycle to get things right.
Note to myself: the base package has a python recommends that is not required IMHO

I hope that after the work for #3 and my explanations for #1 and #2 above we are good from the MIR teams side.
Once I'm done on that I'll open it up for your re-review.


I talked with the security team and they will try to check the package. Hopefully we will get all together for 19.04 - updated packaging, apparmor profile, security review - and can then make this available in main.

-- 
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to gpsd in Ubuntu.
https://bugs.launchpad.net/bugs/1790855

Title:
  [MIR] gpsd

Status in gpsd package in Ubuntu:
  Incomplete

Bug description:
  Availability: GPSD is available since quite a while and builds for all
  architectures

  
  Rationale:
  - The package is the de-facto way to feed GPS HW-based time info into chrony which became the main NTP server with Bionic.
  - All users using HW assisted NTP would be glad to have this in main
  - It is not a dependency for chrony, but we'd seed it to get into main and add a suggest to chrony (while HW people want it the majority of the community is good without, so no depends/recommend)
  - in some way the replacement ntp->chrony was only half of it as ntp had ntp-server AND GPS reading capabilties. This MIR fills the gap created by that.

  
  Security:
  - there two (fairly old) CVEs aganst GPSD
    => https://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=gpsd
  - since the above nothing came up, the project itself is active and vital IMHO
    => https://www.openhub.net/p/gpsd
  - One of the issues has a USN, maybe the security team remembers if that was ok or bad back then
    => https://usn.ubuntu.com/1820-1/

  
  Quality assurance:
  - After installing the package just needs to be told on which device to work, then it will gather GPS data (that is as minimal as it can be I'd think).
  - no debconf on install
  - long term this had a few crashes back in 2012-2014 but not much since then (a few actually unrelatred apport reports on postinst issues); nothing should stop considering this for main IMHO 
  => https://bugs.launchpad.net/ubuntu/+source/gpsd
  => https://bugs.debian.org/cgi-bin/pkgreport.cgi?repeatmerged=yes&src=gpsd
  - The one related important bug IMHO is bug 1790496 which will add apparmor to GPSD which I'd prefer when we grant it main (I wait on a security review there)
  - "exotic hardware" is part of the GPSD story we (server team) have two kinds of receivers to test but there is a vast array of potential receivers which we will not be able to test all of them.
  - a debian/watch file is in place

  
  UI standards:
  - not a UI package

  
  Dependencies:
  - Dependencies are sane (all in main and not deprecated)
    GPSD:
    Depends: netbase | systemd-sysv, lsb-base (>= 3.2-13), adduser (>= 3.34), libbluetooth3 (>= 4.91), libc6 (>= 2.27), libdbus-1-3 (>= 1.9.14), libusb-1.0-0 (>= 2:1.0.8), libgps23 (= 3.17-5build1)
    Recommends: udev, python
    LIBGPS23
    Depends: libc6 (>= 2.15), libdbus-1-3 (>= 1.9.14), libstdc++6 (>= 5)
  - There are a few universe build-depends, but nothing totally outdated IMHO

  
  Standards compliance:
  - meets the FHS
  - follows (an older) standard 3.9.2

  
  Maintenance:
  - so far was mostly a sync, only now we pick up more work on it.
  - DPB confirmed the server team would take over package subscription and maintainership as owning team

  
  Background information:
  Receiving GPS signals just to do so would be no core value of Ubuntu and not main-worthy. But being the de-facto way to feed the main ntp server (chrony) in Ubunutu with GPS data to improve time makes it a candidate.

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/gpsd/+bug/1790855/+subscriptions

More information about the foundations-bugs mailing list